My mental model of the name / account number / sort code combo was that of the public key: it allows people to send (but not to receive, or authorize any other operation) money to me with it. Yet, above, and many references on the net seem to also imply direct debit, and money withdrawal via cheques.

Google your name and see what you get. The moment I get your birthday and your address (from google), I can use the account and sort code to get all your money. It is so simple. Direct debit only needs your name and bank SC and Acc number. So it is easy to set it up. But you have the safety that the money will be returned back if proof is there of an illegal thing.
–
DumbCoderJan 4 '13 at 15:06

DumbCoder, could you clarify whether one could, and how one would set up a Direct Debit with only these informations available?
–
Silver DragonJan 5 '13 at 21:29

Have you ever set up a direct debit in UK ?? If yes then you should know.
–
DumbCoderJan 6 '13 at 10:45

No, I mean, how a different organisation would set up direct debit to them, using only my account information?
–
Silver DragonJan 7 '13 at 4:48

3 Answers
3

I think the answer to this must differ from country to country. I have lived in several countries where the normal everyday way of making a payment is to instruct my bank to transfer the money to the recipient's account. Of course this means I must know his name, SC and account number – but this is an accepted part of the system; businesses routinely display that information on invoices and correspondence. It is simply not regarded as confidential.

DumbCoder's comment suggests that if he has that information he can take money from my account without my permission – in other words, my bank will pay money out of my account on someone else's request, without my authority. Is this correct? In which country or countries can this happen?

I am citing the case in UK. I can access my telephone banking based on this information, some banks have introduced a secret word. But it will not take much time for a resouceful crook to figure out the secret word with the plethora of information available online about oneself, nowadays. Don't assume you are safe too in your country, wherever you are from.
–
DumbCoderJan 4 '13 at 21:58

As edited question says: this is specifically for the UK, and without compromised passwords.
–
Silver DragonJan 5 '13 at 21:26

I admit that when I wrote my answer, it had not occurred to me that any bank would accept a payment instruction from a customer without either a signature on paper or a password on line. I still have doubts about whether that can happen; I wouldn't keep my money in a bank that would allow it.
–
abacusJan 6 '13 at 15:12

You can give them your credit card details: Name on Card, zip code, credit card number, and 3 or 4 digit security code on the back. Most of the information is available on the card or via an easy Google search. If the crook has your card they can use it to buy something.

You can contact your bank's website and establish a one time or recurring transfer. You provide the information about the person/company. Your bank knows who you are because you used a secure system and your password. Their bank accepts the money because who would refuse money, they don't care who you are.

You can provide the company with your bank info (bank number, your account number, and your name). If your bank limits their transactions via this method only to legitimate organizations, then your money will only be sent to legitimate organizations. But if the organization has no way of knowing who is on the other end of the phone or webpage, they may be withdrawing money from a bank account without the account owners permission.

In the example article a person found a charity that had lax security standards, they were recognized by the bank as a legitimate organization, so the bank transferred the money. The charity will point to the form and say they had permission from the owner, but in reality they didn't.

The subject of the article was correct, all the info required is on every check. It is just that most people are honest, and the few security hurdles that exist do stop most of the fraud.

Setting up a DD is not easily approved by the banks as you must prove a existing business cash flow.

And secondly you cannot empty someone's account via DD as they are protected by the DD mandate.
(Money goes out, complaint is made, money goes back in, the registered business with the DD facility has some serious explaining to do to the bank and FCA).